* Ulf Harnhammar [2006-11-08 23:14:16+0100]
> I've just verified that elog in stable is vulnerable to
> all issues mentioned in bug #392016.
Thank you very much for looking into this! I've got another report attached below. I'll look into this problem also and will keep this bug report open, as I think elog should not enter Etch due to all the potential security issues, which increase the work-load on our security team during the stable release cycle.

---------------------------------->8---------------------------------------

FYI

Hi,

We are working with Mr. Stefan Ritt on this issue and waiting for the fix.

Thanks,
OS2A

Forwarded Conversation
Subject: ELOG Web Logbook Remote Denial of Service Vulnerability
------------------------

From: OS2A BTO <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Wed, Nov 8, 2006 at 6:12 PM
Attachments: os2a_1008.txt

Hi,

We recently came across a Denial of Service vulnerability in ELOG's elogd server which allows attackers to crash the service, thereby preventing legitimate access. Attached is our security advisory which describes the vulnerability in detail.

Please let us know the time you might require to fix this issue. And also let us know if you have any questions. A quick and positive response from your side would be highly appreciated.

Thanks,
OS2A Team.

--------

From: Stefan Ritt <[EMAIL PROTECTED]>
To: OS2A BTO <[EMAIL PROTECTED]>
Date: Wed, Nov 8, 2006 at 6:31 PM

Dear OS2A team,

thank you for reporting this vulnerability and for the detailed analysis, I really appreciate it. I fixed this problem and just released version 2.6.2-7 (SVN revision 1746).

Best regards,
Stefan Ritt

--
Dr. Stefan Ritt                  Phone: +41 56 310 3728
Paul Scherrer Institute          FAX:   +41 56 310 2199
OLGA/021                         mailto:[EMAIL PROTECTED]
CH-5232 Villigen PSI             http://midas.psi.ch/~stefan

> ------------------------------------------------------------------------
>
> ELOG Web Logbook Remote Denial of Service Vulnerability
>
>
> OS2A ID: OS2A_1008
> Status:
>   10/31/2006  Issue Discovered
>   11/08/2006  Reported to the Vendor
>   --          Fixed by Vendor
>   --          Advisory Released
>
>
> Class: Denial of Service
> Severity: Medium
>
>
> Overview:
> ---------
> The Electronic Logbook (ELOG) is part of a family of applications known as
> weblogs. ELOG is a remarkable implementation of a weblog in its simplicity of
> use and versatility.
> http://midas.psi.ch/elog/index.html
>
> Description:
> ------------
> Remote exploitation of a denial of service vulnerability in ELOG's
> elogd server allows attackers to crash the service, thereby preventing
> legitimate access.
>
> The [global] section in configuration file elogd.cfg is used for settings
> common to all logbooks. The vulnerability is due to improper handling of an
> HTTP GET request if logbook name 'global' (or any logbook name prefixed
> with global) is used in the request. When such a request is received,
> a NULL pointer dereference occurs, leading to a crash of the service.
>
> Only authenticated users can exploit this vulnerability if the application
> is configured with a password.
>
> Impact:
> -------
> Successful exploitation allows a remote attacker to crash the elogd server.
>
> Affected Software(s):
> ---------------------
> ELOG 2.6.2 and prior.
>
> Proof of Concept:
> -----------------
> The HTTP GET request given below is sufficient to crash the affected server:
> http://www.example.com/global/
>
> Analysis:
> ---------
> # gdb ./elogd
> ...
> ...
>
> (gdb) break show_elog_list
> Breakpoint 2 at 0x809d6e0
>
> (gdb) c
> Continuing.
> (no debugging symbols found)
> elogd 2.6.2 built Nov  8 2006, 01:25:48 revision 1699
> Falling back to default group "elog"
> Falling back to default user "elog"
> Indexing logbooks ... done
> Server listening on port 8080 ...
>
> Breakpoint 2, 0x0809d6e0 in show_elog_list ()
> (gdb) c
> Continuing.
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0809eb7a in show_elog_list ()
>
> (gdb) bt
> #0  0x0809eb7a in show_elog_list ()
> #1  0x00000000 in ?? ()
>
> (gdb) i r
> eax            0x0        0
> ecx            0x9d43d88  164904328
> edx            0x0        0
> ebx            0x0        0
> esp            0xbfa8aca0 0xbfa8aca0
> ebp            0x80df40c  0x80df40c
> esi            0xbfb27050 -1078824880
> edi            0x0        0
> eip            0x809eb7a  0x809eb7a
> eflags         0x200246   2097734
> cs             0x73       115
> ss             0x7b       123
> ds             0x7b       123
> es             0x7b       123
> fs             0x0        0
> gs             0x33       51
>
> (gdb) x/i $eip
> 0x809eb7a <show_elog_list+5274>:        mov    (%eax),%eax
>
> The vulnerable code is at Line:16774 of elogd.c,
>     n_msg = *lbs->n_el_index;
> where the pointer lbs is dereferenced before being null checked.
>
> --- elogd.c, Line:16772 -----
>
>    } else {
>       n_logbook = 1;
>       n_msg = *lbs->n_el_index;
>    }
>
>    msg_list = xmalloc(sizeof(MSG_LIST) * n_msg);
>
> --- elogd.c, Line:16778 -----
>
>
> CVSS Score Report:
> ------------------
> ACCESS_VECTOR          = REMOTE
> ACCESS_COMPLEXITY      = LOW
> AUTHENTICATION         = NOT_REQUIRED
> CONFIDENTIALITY_IMPACT = NONE
> INTEGRITY_IMPACT       = NONE
> AVAILABILITY_IMPACT    = COMPLETE
> IMPACT_BIAS            = AVAILABILITY
> EXPLOITABILITY         = FUNCTIONAL
> REMEDIATION_LEVEL      = WORKAROUND
> REPORT_CONFIDENCE      = CONFIRMED
> CVSS Base Score        = 5.0 (AV:R/AC:L/Au:NR/C:N/I:N/A:C/B:A)
> CVSS Temporal Score    = 4.5
> Risk factor            = Medium
>
>
> Vendor Response:
> ----------------
>
>
>
> Solution:
> ---------
> Before using the pointer, ensure that it is not equal to NULL.
> eg:
>
>    if (!lbs->n_el_index) {
>       /* handle the null pointer dereference condition here */
>    }
>
> Credits:
> --------
> Jayesh KS and Arun Kethipelly of OS2A have been credited with the discovery
> and analysis of this vulnerability.
>
> --------

From: OS2A BTO <[EMAIL PROTECTED]>
To: Stefan Ritt <[EMAIL PROTECTED]>
Date: Wed, Nov 8, 2006 at 7:27 PM

Dear Stefan Ritt,

Thanks for the quick response. We tested the fix you provided and it still seems to be having the problem. We created another logbook named 'global', after the logbook 'demo', in the configuration file elogd.cfg and tried accessing the server with http://elogsite:8080/global/. It's giving a segmentation fault.

This is the configuration file we used:

------elogd.cfg------------
[global]
port = 8080

[demo]
Theme = default
Comment = General linux tips & tricks
Attributes = Author, Type, Category, Subject
Options Type = Routine, Software Installation, Problem Fixed, Configuration, Other
Options Category = General, Hardware, Software, Network, Other
Extendable Options = Category
Required Attributes = Author, Type
Page Title = ELOG - $subject
Reverse sort = 1
Quick filter = Date, Type

[global]
Theme = default
Comment = General linux tips & tricks
Attributes = Author, Type, Category, Subject
Options Type = Routine, Software Installation, Problem Fixed, Configuration, Other
Options Category = General, Hardware, Software, Network, Other
Extendable Options = Category
Required Attributes = Author, Type
Page Title = ELOG - $subject
Reverse sort = 1
Quick filter = Date, Type
-------------elogd.cfg---------------------

Thanks,
OS2A

--------

From: Stefan Ritt <[EMAIL PROTECTED]>
To: OS2A BTO <[EMAIL PROTECTED]>
Date: Wed, Nov 8, 2006 at 7:39 PM

Can you try again? I just updated 2.6.2-7, it's now SVN revision 1747. Having a [global] section plus a [global] logbook is a severe misconfiguration, so I did not try that combination before. But now it should be fixed.

- Stefan

--------

From: OS2A BTO <[EMAIL PROTECTED]>
To: Stefan Ritt <[EMAIL PROTECTED]>
Date: Wed, Nov 8, 2006 at 7:54 PM

Hi,

If we create any other directory prefixed with global in the configuration file, and try the same in the URL, it again crashes. I created a logbook named 'global__' in elogd.cfg and tried to access http://192.168.3.5:8080/global__/ and it crashed again.

---------------------------------->8---------------------------------------

--
roktas
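As an added illustration (not ELOG's code, not part of the bug report), the following models the two steps the advisory walks through: resolving the first URL path component to an elogd.cfg section, and the guarded form of the `n_msg = *lbs->n_el_index;` line. The struct and functions (`LOGBOOK`, `find_logbook()`, `count_messages()`, `messages_for_path()`), the tiny configuration table, and treating every section whose name begins with "global" as non-logbook configuration are assumptions made for the example.

```c
/* Added example, not ELOG's code: refuse "global"-prefixed names and check
 * both pointers before the advisory's unguarded dereference. */
#include <string.h>
#include <strings.h>

typedef struct {
    const char *name;    /* section name from elogd.cfg, e.g. "demo" */
    int *n_el_index;     /* NULL until the logbook has been indexed */
} LOGBOOK;

/* Constructed configuration: [global] is server-wide settings, never indexed. */
static int demo_entries = 3;
static LOGBOOK lb_list[] = {
    { "global", NULL },
    { "demo",   &demo_entries },
    { NULL,     NULL }          /* terminator */
};

/* Assumption: any section whose name starts with "global" is configuration,
 * not a logbook (the advisory reports the same crash for prefixed names). */
const LOGBOOK *find_logbook(const char *name)
{
    if (strncasecmp(name, "global", 6) == 0)
        return NULL;
    for (const LOGBOOK *lb = lb_list; lb->name; lb++)
        if (strcmp(lb->name, name) == 0)
            return lb;
    return NULL;
}

/* Guarded form of n_msg = *lbs->n_el_index; returns -1 instead of crashing. */
int count_messages(const LOGBOOK *lbs)
{
    if (lbs == NULL || lbs->n_el_index == NULL)
        return -1;
    return *lbs->n_el_index;
}

/* Map a GET path such as "/demo/" to its message count, or -1 (send 404). */
int messages_for_path(const char *path)
{
    char name[64];
    size_t len;
    if (*path == '/') path++;
    len = strcspn(path, "/?");
    if (len == 0 || len >= sizeof name) return -1;
    memcpy(name, path, len);
    name[len] = '\0';
    return count_messages(find_logbook(name));
}
```

With this check in place, the requests from the thread (`/global/` and `/global__/`) resolve to an error code for the HTTP layer to report, while `/demo/` still yields its message count.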